Escape wildcards when searching LDAP by group name.

CHANGELOG-EE

@@ -2,6 +2,7 @@ v 7.9.0 (unreleased)
   - Strip prefixes and suffixes from synced SSH keys:
     `SSHKey:ssh-rsa keykeykey` and `ssh-rsa keykeykey (SSH key)` will now work
   - Check if LDAP admin group exists before querying for user membership
+  - Escape wildcards when searching LDAP by group name.
 
 v 7.8.0
   - Improved Jira issue closing integration

lib/api/ldap.rb

@@ -6,6 +6,8 @@ module API
     resource :ldap do
       helpers do
         def get_group_list(provider, search)
+          search ||= ""
+          search = Net::LDAP::Filter.escape(search)
           Gitlab::LDAP::Adapter.new(provider).groups("#{search}*", 20)
         end
       end
@@ -17,7 +19,7 @@ module API
       #  GET /ldap/groups
       get 'groups' do
         provider = Gitlab::LDAP::Config.servers.first['provider_name']
-        @groups = Gitlab::LDAP::Adapter.new(provider).groups("#{params[:search]}*", 20)
+        @groups = get_group_list(provider, params[:search])
         present @groups, with: Entities::LdapGroup
       end
 

lib/gitlab/ldap/group.rb

@@ -4,6 +4,7 @@ module Gitlab
       attr_accessor :adapter
 
       def self.find_by_cn(cn, adapter)
+        cn = Net::LDAP::Filter.escape(cn)
         adapter.group(cn)
       end